CyberEye

By Patrick Marshall

New malware waits for a mouse click before executing

Malware writers have come up with a gift for us this Christmas season: Code that monitors its environment before executing. If nothing is stirring, not even a mouse, it remains quiet, hiding itself.

“Until the left mouse button is released, the code will remain dormant making it immune from automated analysis by a sandbox,” FireEye researchers wrote in a recent blog post about a new Trojan they call Upclicker.

This is important because with the huge number of malware variants out there — Symantec estimates the number of new variants at more than a million a day — signature-based detection tools cannot keep up with the onslaught, and users increasingly rely on sandboxing and automated analysis to detect the bad actors on their computers. These tools look at what a piece of code actually does to decide whether it should be allowed to run.

Malware writers know this and look for ways to hide. Symantec, back in October, issued an alert that some malware has begun monitoring its surroundings to determine whether it is in a virtual environment (i.e., a sandbox), where it can be tricked into revealing itself. One effective technique is for the malware to watch for mouse activity, a reliable indicator of human involvement. If the malware does not receive its prompts from a mouse click, it assumes it is in a sandbox and remains quiet, hoping to be released into the machine, where it can do its job.

FireEye researchers analyzed the new Trojan Upclicker, which uses this technique to hide. Only when executed with a left-click from a mouse does it inject malicious code into the browser, which opens a communications channel with a command server.

Neither Symantec nor FireEye as yet offer any specific suggestions for thwarting this behavior, although FireEye warned that “we expect to see more such samples that can use a specific aspect like pressing specific keys, specific mouse buttons, or movement of the mouse a certain distance to evade the automated analysis.”

In the ongoing cat-and-mouse game of cybersecurity it is likely that defensive techniques will be developed to address these threats. Signatures could be developed to look for the “hook” commands in the malware that monitor mouse or other activity, or the analysis tools might be able to detect this monitoring activity and flag it as suspicious.

Whatever solution we end up with, it is all but certain that the bad guys will come up with a new way around it. Just more things for us to worry about.